Visa warns you: new JsOutProx virus attacks banks and their customers

How is the banking Trojan distributed and what does GitLab have to do with it?

Visa has warned of an increase in the activity of a new version of JsOutProx malware targeting financial institutions and their customers. The campaign targeted institutions in South and Southeast Asia, the Middle East, and Africa.

The new Remote Access Trojan (RAT) has been distributed as part of a phishing campaign since March 27, according to BleepingComputer, citing a statement from the Visa Fraud Prevention Unit (PFD).

JsOutProx, first discovered in December 2019, is a heavily obfuscated JavaScript backdoor that allows operators to run shell commands, download additional payloads, execute files, take screenshots, maintain persistence on an infected device, and control the keyboard and mouse.

The purpose of the campaign is not fully clear, but it is assumed that attackers could target financial institutions in order to conduct fraudulent transactions. Visa has proposed a number of mitigation measures, including raising awareness of phishing risks, using EMV and secure payment acceptance technologies, protecting remote access, and monitoring suspicious transactions.

Resecurity researchers detailed the phishing operation in their report, noting that the malware has evolved, improving its ability to evade detection and using GitLab to host its downloads.

[Image: hacker account activity on GitLab]

Victims were sent fake email notifications purporting to come from official institutions, with attached ZIP archives containing JavaScript files. Running those files downloads the JsOutProx malware onto the victim's computer.
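The delivery chain described above (a ZIP attachment carrying a script file) is what a mail gateway or triage script can catch before the user ever double-clicks. The following is an added example written for this post, not code from the article, from Visa, or from Resecurity: it opens an attachment in memory, flags members with script extensions that Windows Script Host would execute, flags decoy double extensions such as invoice.pdf.js, and looks for a few generic obfuscation constructs. The marker list, thresholds and the sample archive are constructed for illustration and are not a JsOutProx signature.

```python
import io
import math
import zipfile
from collections import Counter

# Extensions that Windows Script Host or the shell executes on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".cmd", ".bat", ".ps1", ".scr", ".exe", ".lnk"}

# Decoy "document" extensions often placed before the real one (invoice.pdf.js).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Generic constructs seen in obfuscated script droppers (illustrative list, an assumption).
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode",
                       "ActiveXObject", "WScript.Shell", "new Function(")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encoded or packed blobs score higher than plain text."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def split_extensions(name: str) -> list[str]:
    """'docs/invoice.pdf.js' -> ['.pdf', '.js']; case-insensitive, ignores directories."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def analyze_member(name: str, content: bytes) -> dict:
    """Apply the filename and content heuristics to one archive member."""
    exts = split_extensions(name)
    reasons = []
    if exts and exts[-1] in SCRIPT_EXTENSIONS:
        reasons.append(f"executable script extension {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and exts[-1] in SCRIPT_EXTENSIONS:
        reasons.append(f"double extension masquerading as {exts[-2]}")
    text = content.decode("utf-8", errors="ignore")
    markers = [m for m in OBFUSCATION_MARKERS if m in text]
    if markers:
        reasons.append("obfuscation/WSH markers: " + ", ".join(markers))
    entropy = shannon_entropy(content)
    if exts and exts[-1] in SCRIPT_EXTENSIONS and entropy > 5.0:
        reasons.append(f"high entropy {entropy:.2f} bits/byte for a script")
    return {"name": name, "entropy": round(entropy, 2),
            "reasons": reasons, "suspicious": bool(reasons)}


def scan_zip_attachment(blob: bytes) -> list[dict]:
    """Return one finding per archive member; 'suspicious' is True when any heuristic fires."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Cap the read so an oversized member cannot exhaust memory during triage.
            content = zf.open(info).read(1_000_000)
            findings.append(analyze_member(info.filename, content))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample archive: a benign text file plus a decoy-named, obfuscated-looking .js."""
    dropper = (
        'var a = String.fromCharCode(87,83,99,114,105,112,116,46,83,104,101,108,108);\n'
        'var s = new ActiveXObject(a);\n'
        'eval(unescape("%73%2e%52%75%6e%28%22%63%61%6c%63%22%29"));\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Thank you for your order. Details are attached.\n")
        zf.writestr("invoice_2024.pdf.js", dropper)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_attachment()):
        verdict = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f'{verdict:10} {finding["name"]}: {"; ".join(finding["reasons"]) or "-"}')
```

The filename checks alone are enough to quarantine this style of lure: a legitimate invoice does not arrive as a .js file, and a decoy document extension in front of a script extension is almost never benign. The content markers and entropy are secondary signals for scripts that arrive under an honest name.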

The new malware variant includes tools for changing proxy settings, modifying DNS settings to redirect and mask traffic, stealing data from the clipboard, and bypassing two-factor authentication by stealing one-time passwords. Analysts suggest that a Chinese group may be behind the attacks, given the complexity of the attacks, the profile of the targets and their geographical location.